Autonomous Database-related Prerequisite Tasks

Before you enable and use Database Management Diagnostics & Management for Autonomous Databases, you must complete the prerequisite tasks listed in the following table.

Task Description More Information
Grant a database user the privileges required to monitor and manage the Autonomous Database and save the database user password in a secret

You must grant the database user the privileges required to monitor and manage the Autonomous Database using Diagnostics & Management.

Note that when you enable Diagnostics & Management, the Basic monitoring preferred credential can be set to use the ADBSNMP user. However, it's recommended that you set the Advanced diagnostics preferred credential to use the ADMIN user, or set the session credential to use the ADMIN user. This is because some of the advanced monitoring and management features, such as Performance Hub, require additional privileges that the ADBSNMP user does not have.

Use the Oracle Cloud Infrastructure Vault service to save the database user password in a secret with an encryption key. The Vault service is a managed service that enables you to centrally manage the encryption keys that protect your data and the secret credentials that you use to securely access resources. Note that if you change the database user password, then you must also update the secret with the new password by creating a new version of the secret and updating the contents.

For information on how to set preferred or session credentials, see Set and Use Credentials.

For information on the required database user privileges, see Database User Privileges Required for Diagnostics & Management.

For information on the Vault service, its concepts, and how to create vaults, keys, and secrets, see Vault.

Configure network access between Database Management and the Autonomous Database

For Autonomous Database Serverless

There are three types of network access options available for Autonomous Database Serverless. To confirm which of the options to use, or to update network access, go to the Autonomous Database details page.

Note that if mutual TLS (mTLS) authentication is required, you must download the wallet and save it in a Vault service secret. This secret is required when enabling Diagnostics & Management for the Autonomous Database. For more information, see the last row of this table.

  • Secure access from everywhere: A private endpoint is not required to use this option; however, mTLS authentication is required.
  • Secure access from allowed IPs and VCNs only: To use this option, you must:
    1. Ensure that a VCN and subnet are available. You can either create a VCN or use an existing VCN.
    2. Create a Database Management private endpoint that acts as Database Management's network point of presence in the VCN.
    3. Ensure that the VCN is added to the Access Control Rules (ACLs) to communicate with the Autonomous Database. If the IP address or CIDR for the VCN is added to the ACL, you must ensure that it includes the IP address of the Database Management private endpoint or the IP ranges of the subnet containing the Database Management private endpoint.
    4. Ensure that a service gateway is available for the VCN, and the subnet has access to the service gateway.
    5. Add ingress and egress security rules (TCP protocol, port 1521 or 1522) to NSGs or Security Lists in the VCN to enable communication between the Database Management private endpoint and the Autonomous Database.
  • Private endpoint access only: To use this option, you must:
    1. Create a Database Management private endpoint in the Autonomous Database VCN. If the Autonomous Database is in a private subnet in the VCN, it's recommended that the Database Management private endpoint also resides in the same subnet. If there's an existing Database Management private endpoint in the same VCN, you can reuse it even if it's not in the same subnet.
    2. Add ingress and egress security rules (TCP protocol, port 1521 or 1522) to NSGs or Security Lists in the VCN to enable communication between the Database Management private endpoint and the Autonomous Database. If an NSG or Security List is not available, create one and add ingress and egress security rules on TCP protocol with a port used for JDBC for the subnet IP CIDR.

      Note that if the Autonomous Database and the Database Management private endpoint are not in the same subnet, you must:

      • Replace the JDBC port constraint with All on the non-database end.
      • Replace the subnet IP CIDR with the VCN IP CIDR.
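A pre-flight check for the ACL and security-rule steps above, as an added example that is not part of the original documentation. It assumes ACL entries given as IP addresses or CIDR blocks and a simplified rule model with hypothetical field names; all addresses are constructed sample values.

```python
import ipaddress

def acl_gaps(acl_entries, endpoint_ip, subnet_cidr):
    """Problems with an ACL whose entries are IP addresses or CIDR blocks."""
    ip = ipaddress.ip_address(endpoint_ip)
    subnet = ipaddress.ip_network(subnet_cidr)
    problems = []
    if ip not in subnet:
        problems.append(f"{ip} is not inside subnet {subnet}")
    # A bare IP parses as a /32 (or /128) network, so one test covers both
    # "endpoint IP listed" and "endpoint subnet range listed".
    nets = [ipaddress.ip_network(e, strict=False) for e in acl_entries]
    if not any(ip in n for n in nets):
        problems.append(f"no ACL entry includes private endpoint {ip}")
    return problems

def rule_gaps(rules, peer_ip, port):
    """Directions (ingress/egress) that lack a TCP rule for this port and peer."""
    peer = ipaddress.ip_address(peer_ip)
    missing = []
    for direction in ("ingress", "egress"):
        allowed = any(
            r["direction"] == direction
            and r["protocol"] == "tcp"
            and r["port_min"] <= port <= r["port_max"]
            and peer in ipaddress.ip_network(r["cidr"])
            for r in rules
        )
        if not allowed:
            missing.append(direction)
    return missing

# Constructed sample values, not taken from any real tenancy.
ENDPOINT_IP, ENDPOINT_SUBNET = "10.0.1.7", "10.0.1.0/24"
ACL_TOO_NARROW = ["10.0.2.0/24", "192.0.2.15"]
ACL_OK = ["10.0.2.0/24", "10.0.1.7"]
RULES = [  # simplified rule model (hypothetical field names)
    {"direction": "ingress", "protocol": "tcp",
     "port_min": 1521, "port_max": 1522, "cidr": "10.0.1.0/24"},
]

if __name__ == "__main__":
    print(acl_gaps(ACL_TOO_NARROW, ENDPOINT_IP, ENDPOINT_SUBNET))
    print(acl_gaps(ACL_OK, ENDPOINT_IP, ENDPOINT_SUBNET))
    print(rule_gaps(RULES, ENDPOINT_IP, 1522))
```

The sample rule set has only an ingress rule, so the check reports the missing egress rule that the steps require.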

For Autonomous Database on Dedicated Exadata Infrastructure

You must create a Database Management private endpoint. When creating a Database Management private endpoint for Autonomous Databases on Dedicated Exadata Infrastructure, select the Use this private endpoint for RAC databases or Dedicated Autonomous Databases option. By default, TLS walletless connections are enabled when provisioning Autonomous Exadata VM Cluster (AVMC) and a wallet is not required. However, if network settings are configured for mTLS and mTLS connections are selected, then you must download the wallet and save it in a Vault service secret. This secret is required when enabling Diagnostics & Management for the Autonomous Database on Dedicated Exadata Infrastructure. For more information, see the last row of this table.

For information on network access options for Autonomous Database Serverless, see About Network Access Options in Using Oracle Autonomous Database Serverless.

For information on how to access Autonomous Database Serverless, see Configure Network Access with Access Control Rules (ACLs) and Private Endpoints.

For information on how to access Autonomous Database on Dedicated Exadata Infrastructure, see Connect to Autonomous Database.

For information on TLS walletless connections for Autonomous Database on Dedicated Exadata Infrastructure, see Prepare for TLS Walletless Connections.

For information on how to create a Database Management private endpoint, see Create a Database Management Private Endpoint for Autonomous Databases.

For information on NSGs and Security Lists, see Access and Security.

Save the wallet in a Vault service secret for mTLS connections

Download the wallet from the Autonomous Database details page. For Autonomous Databases Serverless, it's recommended that you download the Regional wallet.

Once you download the wallet, you must extract the wallet_<databasename>.zip file and save the SSO wallet file, cwallet.sso, in a Vault service secret. This secret can then be uploaded when enabling Diagnostics & Management for the Autonomous Database. Note that if you've not created a secret with the cwallet.sso file, you can also do so when enabling Diagnostics & Management.
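The extraction step above, as an added example that is not part of the original documentation: it reads only cwallet.sso out of the wallet archive in memory and returns the content base64-encoded, the form in which the Vault API accepts secret content, along with a SHA-256 digest for later comparison. The function names and the sample archive are hypothetical and constructed for illustration.

```python
import base64
import hashlib
import io
import zipfile

def sso_secret_payload(wallet_zip):
    """Return (base64_content, sha256_hex) for cwallet.sso in a wallet zip.

    The archive is read in memory, so the other key stores in it
    are never written to disk.
    """
    with zipfile.ZipFile(io.BytesIO(wallet_zip)) as zf:
        hits = [i for i in zf.infolist()
                if not i.is_dir() and i.filename.split("/")[-1] == "cwallet.sso"]
        if len(hits) != 1:
            raise ValueError(f"expected one cwallet.sso, found {len(hits)}")
        data = zf.read(hits[0])
    if not data:
        raise ValueError("cwallet.sso is empty")
    return base64.b64encode(data).decode("ascii"), hashlib.sha256(data).hexdigest()

def build_sample_wallet(include_sso=True):
    """Constructed stand-in for wallet_<databasename>.zip (placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tnsnames.ora", "constructed placeholder")
        zf.writestr("ewallet.p12", b"constructed placeholder")
        if include_sso:
            zf.writestr("cwallet.sso", b"constructed-sso-bytes")
    return buf.getvalue()

if __name__ == "__main__":
    content, digest = sso_secret_payload(build_sample_wallet())
    print(len(content), digest)
```

Because cwallet.sso is an auto-login wallet that opens without a password, handle the returned content as a credential and keep it out of logs and shell history.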

For information on how to download the wallet, see:

For information on the Vault service, its concepts, and how to create vaults, keys, and secrets, see Vault.